3a01d0131ab2e5854e6e01603fcd33ae33b76cb5562de3974b27472cb6054da2

General

Target

47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Size

1.2MB
MD5

47814959cdb37a0fdd899077b0beabb7
SHA1

b4387a2c712ac2cbb58edda927c5378634a0a3dd
SHA256

3a01d0131ab2e5854e6e01603fcd33ae33b76cb5562de3974b27472cb6054da2
SHA512

d7cf9ca1db735b8b05167a4cdde55a54d14f899814219f0c7af4e0fcdb439a8482057f635c5c08a57d78dda6d08ccf0a78c0b330fd9c7aa3fae8ed4ec24bd87b
SSDEEP

24576:XLZT6ecMnbj9lJmR/tHMna2NPCiWZZXb87jcMeSGauWrziWC:XLN6ecMnbhlJmR/2apFbbJMeSGuvC

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}\StubPath = "C:\\Windows\\system32\\msnmsgr.exe Restart"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/468-0-0x0000000013140000-0x000000001314F000-memory.dmp	upx
behavioral2/memory/468-5-0x0000000013140000-0x000000001314F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\system32\\msnmsgr.exe"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\system32\\msnmsgr.exe"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msnmsgr.exe	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnmsgr.exe	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 4552 set thread context of 492	4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	87

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 468 wrote to memory of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 468 wrote to memory of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 468 wrote to memory of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 468 wrote to memory of 4552	468	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	83
PID 4552 wrote to memory of 492	4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	87
PID 4552 wrote to memory of 492	4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	87
PID 4552 wrote to memory of 492	4552	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies registry class
    PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-0-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/468-5-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/4552-4-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/4552-2-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/4552-1-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/4552-6-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/4552-9-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads